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Abstract 

This talk reports the results of a NASA SHIR project in which 
we developed CSP-Ariel, a verification system for C programs which 
use Unix system calls for concurrent programming, interprocess com- 
munication, and file input and output. I his project builds on ORA s 
Ariel C verification system by using the system of Iloaro’s book Com- 
nmnieatinq Sequential Processes to model concurrency and communi- 
cation. 'Hie system runs in OH A’s Clio theorem proving environment. 
We outline how we use CSP to model Unix concurrency, and sketch 
the CSP semantics of a simple concurrent program. We discuss plans 
for further development of CSP-Ariel. 
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C Formal Verification with 

Unix communication and concurrency 

(NASA SBIR) 

Aim: Verification system for 

• C programs 

• Unix system calls 

• concurrent programming (fork, wait, 
exit, pipe) 


• file and device i/o (read, write, open, 
close). 
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Example program. 


void producer () ; 
void consumer ( ) ; 
int pipedes (2); 

void main ( ) 

{ 

int id; 

if (pipe (pipedes) == -1) return; 

id *= f ork ( ) ; 
if (id -1) return; 

if (id 0) consumer (); 

else producer (); 

return ; 

) 

void producer () 

( 

char c; 
int status; 

while (read (0, &c, 1) != 0) /* 0 = standard input filedes */ 

write (pipedes ( 1 ] , &c, IE- 
close (pipedes { 1 ]) ; 
exit (wait (^status) ) ; 

) 

void consumer () 

{ 

char c; 

close (pipedes ( 1] ) ; /* so that pipe read will fail when producer 

closes its write end of pipe */ 
while ( read (pipedes ( 0 ] , &c, 1) != 0) 

write(l, &c, 1); /* 1 = standard output filedes */ 

exit (0 ) ; 



Example Program Schematic 








Technical Approach 

• C semantics via Ariel operational semantics (pre- 
existing) 

• Unix communication and concurrency semantics 
via Hoare’s CSP 
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CSP (Communicating Sequential Processes) 

• See Hoare’s book, Communicating Sequential Pro- 
cesses. 

• An algebraic language for describing systems of 
processes with synchronous communication. 

• Objects of the language are processes and events. 

• Processes resemble state machines, events the in- 
put alphabet. Deterministic and nondeterministic 
processes. 

• Processes participate in events and are transformed 
by them. 

• Synchronous communication by participation in shared 
events. 
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Unix modeling 


• Unix processes, files, pipes, and certain 
system tables are modeled as determinis- 
tic CSP-processes. 


• Forking, pipe creation, file opening and 
closing, I/O, waiting, and exiting are mod- 
eled as events. 
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Example: Asynchonous pipe communication 


Sending process A, pipe P, receiving process 
B. 




Processes transformed by events 




Exit 



Verification method 


• C program given 

• Ariel front end generates Caliban expression for 
abstract syntax tree of program. 

• Ariel C semantics plus Unix system call semantics 
define denotation of a C program and associated 
files inside operating system as a CSP process. 

• Internal operations of systems of processes hidden 
by CSP concealment operation. 

• We reason about the resulting CSP process in 
Clio. Main tools are induction on traces (event se- 
quences) of processes, and algebraic laws of CSP. 
Clio is a very general theorem prover, and we are 
not limited in the kinds of properties we can prove 
about processes. 
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Producer as a CSP process 





Hiding events: 


Overall process with non-I/O events hidden. 
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CSP-Ariel Development Plan 

• C semantics via Ariel symbolic interpreter (exist- 
ing) 

• Unix communication and concurrency semantics 
via deterministic CSP (initial work completed). 

• Extensions to support network communication planned 
(sockets). 

• Nondeterministic CSP and event concealment for 
specification and modularity (planned) 

• Graphic specification support using Romulus inter- 
face (planned) 



Clio, Caliban, and, Ariel 


• Ariel is a semantic verification system for a sub- 
set of C, written in Caliban and the Clio met- 
alanguage. Floating point, overflow support via 
asymptotic correctness. 

• Caliban is a lazy, purely functional language based 
on recursive equations and pattern matching. 

• Clio is a higher-order logic theorem prover. Cal- 
iban is its term definition language. Clio's main 
proof methods are induction on Caliban defini- 
tions, term rewriting, and case splitting. 




